Could it be that one of the most common credos taught to security professionals is actually leading them astray?
Every practitioner has heard it before: Trust that employees are doing the right thing, but verify that data is protected. Proponents of a new security model, however, argue that while the phrase “trust, but verify” sounds good in theory, the reality is that most security practitioners have been doing the opposite – trusting users by default, but never verifying that data is protected.
“Whoever said, ‘This needs to become a mantra,' missed the mark,” says John Kindervag, a senior analyst at Forrester Research. “It incentivices people to not know what's going on. There is no reason to have any trust in the network.” Kindervag is the driving force behind a new model called “zero-trust” that is gaining support with the security community.
The strategy is based on the idea that security must be made ubiquitous throughout the network, not just at the perimeter. No longer should there be any distinction between a trusted internal network and the untrusted external network. The zero-trust model dictates that all network traffic should be untrusted.
The idea was born to solve a fundamental security problem: Once an attacker penetrates a network, they have unfettered access to the resources inside, Kindervag says. Plus, malicious insiders don't even need to break into the network to abuse its resources.
Consider this: 49 percent of breaches investigated in 2009 by Verizon were linked to insiders. This figure dropped to 17 percent for incidents investigated last year, but according to Verizon, the decrease was attributed to a monumental increase in smaller external attacks, rather than a true reduction in insider activity.
For both years, investigators found that the vast majority of internal breaches were the result of intentional malicious activity.
Key concepts
The zero-trust model aims to mitigate internal and external threats through changes in both security philosophy and network architecture. The model has three core concepts, the first of which is to ensure all network assets are accessed securely, which necessitates using encrypted tunnels.
Next, limit and steadfastly enforce access control across the enterprise, which discourages insiders from abusing or misusing network resources. To do so, Forrester recommends using role-based access control (RBAC) products, which assign individuals to a role that determines what they can access.
The third concept is to log and inspect internal and external network traffic. Most organisations already keep logs, but few actually go so far as to inspect them. For this piece, Forrester suggests using traditional security information management systems in conjunction with so-called network analysis and visibility (NAV) solutions, which include tools to analyse flow data, dissect packet captures, inspect network metadata and facilitate network forensic examination. Such tools can provide security practitioners with a better understanding of what is happening on a network and make it easier to monitor applications.
Going beyond the three essential concepts of zero-trust, the model suggests new network architecture designs that focus on data security from inception. Historically, networks have been built from the outside in – starting with the internet connection and moving inward. Security was bolted on, in layers, after initial design.
Today's networks, Kindervag argues, should be built from the inside out, starting with the system resources and data that need to be protected. “Security is so important that we need to invert the way we design networks so we can embed security into the very DNA of the network,” Kindervag says. “That's what zero-trust is all about.”
The model essentially describes how to break up aspects of a network into different enclaves and protect them, says Eddie Schwartz, CSO at network monitoring and analysis firm NetWitness. “Imagine islands of protection versus all-purpose layers that might fail in some way,” he says. Kindervag warns, though, that zero-trust is not about one particular solution, nor is it a one-time project.
In fact, the first and most important step of adopting the model is free: Security practitioners must stop using the word “trust” as it relates to networking and security. Rather, adopt a mindset that the concept of trust is inappropriate with respect to data security, and spread the message to teams throughout the organization.
Gaining support
First introduced before a small audience at an IT forum last May, zero-trust resonated with people, Kindervag says. The model then gained increasing support once introduced to the masses in the September 2010 paper, “No More Chewy Centres”. One such supporter is FCC Group, a Spanish construction and infrastructure company. With 93,000 employees, a footprint in 54 countries and innumerable contractors with access to the company's networks, insider and third-party threats are a major concern, says Gianluca D'Antonio, the company's CISO.
“When I first heard about the zero-trust model, I realised that we had intuitively started adopting a similar approach,” says D'Antonio, who also is a member of Forrester's security and risk leadership board. “Zero-trust helped us plug the holes and complete the architecture around a true data-and-user-centric operation.”
The zero-trust network framework, in which security is embedded into the network – as opposed to added on after design – offers protection from threats and helps isolate and contain damage if an incident arises, D'Antonio says. Moreover, it offers the bonus of easier compliance with security regulations and standards.
Further, zero-trust can help organisations reduce their threat profile by providing a sense of where their most critical data is stored and how it is transacted, says Phil Agcaoili, CISO at Cox Communications, a broadband communications and entertainment company. Today, most organisations are dealing with network proliferation.
The zero-trust model provides tighter control over data and pinpoints where practitioners must pay attention, Agcaoili says. By using virtualisation technologies, for example, it is possible to create an environment where users can work with data, but never truly have access to it on their endpoint. The model expands on ideas that have been around for some time, but until now haven't been developed as part of a working system that scales and is adaptable to real-world situations, FCC Group's D'Antonio says.
The framework actually echoes ideas presented by a series of computer standards developed during the 1980s and 90s by the US Department of Defense. Named the “Rainbow Series,” the standards are designed to build trusted computer systems, says Ken Ammon, chief strategy officer at access control solutions provider Xceedium. The premise behind the now-defunct program was that trust should be built into systems, instead of granted to users.“Zero-trust is, like many things, a new spin on an old story,” Ammon says.
Adoption proceeds
Many forward-thinking organisations within the financial services, energy, high-tech and retail industries have, over the past several years, been instinctively adopting zero-trust properties, such as the pervasive capture and analysis of network traffic, says NetWitness' Schwartz.
Many are also beginning to rearchitect their enterprise networks to focus on protecting data. Agcaoili says members of his security team at Cox have been familiarising themselves with zero-trust and exploring the costs and benefits of implementing its ideas.
He knows of several other well-known organizations that have already adopted the model. “They created zoned environments for the most critical data and provided remote access capability through virtualized desktops,” he says. The FCC Group has already implemented some zero-trust aspects throughout the organisation, focusing on efforts to gain greater control over insiders and contractors, as well as to ensure all resources are accessed securely, D'Antonio says.
The company's security team has already deployed infrastructure monitoring solutions and a data leakage prevention program and is now concentrating on using NAV tools to increase network visibility. Transitioning the entire network to align with zero-trust designs is a long-term goal. “What makes this model outstanding is the ability to adapt to it and incorporate some bit of the model while the rest of your infrastructure still remains untouched,” D'Antonio says. “This way you can start the transition process at areas of high risk and still run your legacy systems and networks in the old fashion way.”
Drawbacks
While it has received a swath of support, even many proponents of zero-trust agree that the model requires holistic changes that will not come easy. For starters, changing the way people think about security is never an easy task, D'Antonio says. Members of IT departments are used to internal structures that are shaped toward their needs, not geared toward security. “Changing that culture and finding enough clout within the organization is difficult,” he adds.
And while organisations can embrace portions of zero-trust right away, adopting the full model and replacing legacy infrastructures will take some time. For example, FCC Group has made large investments in its network architectural model and changing it will require funds from more than one department's budget, D'Antonio says.
To begin adopting zero-trust, security practitioners should become familiar with all the model's philosophies and architectural ideas, and then look for subnetworks or lab environments where they can start testing them, Kindervag says. Also, regular meetings with networking counterparts should occur to discuss plans and how they can be applied to the overall network architecture.
NetWitness' Schwartz recommends first applying zero-trust methodologies to the most critical aspects of the network, then have a plan to transition, over the next several years, the rest of the network using a risk-based approach.
Key concepts
- Ensure all resources are accessed securely.
- Limit and enforce access control across the enterprise.
- Log and inspect internal and external network traffic.
- Redesign networks from the inside out.
- Adopt a mindset that trust is inappropriate with respect to network security.
- Spread the message across the organisation.
- Set up meetings with counterparts in networking to discuss how zero-trust can benefit the organisation.
- Look for subnetworks where the model can be tested.
- Begin implementing zero-trust ideas, starting with the most critical parts of the network.
- Ask vendors if and how they support zero-trust principles.
- Create a plan to transition the entire network over the next two to three years.